
The FastTrack Migration team will adopt certificate authentication for mail migrations


Awareness Only


Join the discussion about the certificate-based authentication for Exchange and Gmail in Yammer.
 

Summary

FastTrack Migrations team is implementing certificate based authentication for Exchange and Gmail.

  • This change applies to commercial tenants.
  • This change does not apply to GCC, GCC-High or DoD tenants.

The certificate authentication (CA) pilot is currently active and accepting new customers. If you wish to participate in the pilot, please reach out to Ashish Joshi (ashish.joshi@microsoft.com) or Manny Acevedo (manny.acevedo@microsoft.com).

Context

FastTrack performs Mailbox Replication Service (MRS) based migrations from Gmail or on-premises Exchange to Exchange Online. The FastTrack migration team uses customer-supplied user accounts with migration privileges. These ‘Migration Accounts’ are provided by customers for the FastTrack team and are not MFA (multifactor authentication) enabled. The FastTrack migration tools establish PowerShell sessions with the customer’s tenant as these accounts and execute migration commands.

Moving forward

To make these ‘Migration Accounts’ more secure, the FastTrack migration team is moving to app-only authentication in the Exchange Online PowerShell V2 module (EXO v2) to execute migration commands. This allows FastTrack to authenticate with Azure AD (Azure Active Directory) applications using certificate-based authentication rather than usernames and passwords. The feature helps customers create the required App IDs, upload the FastTrack-generated certificates to the FastTrack Migration Hub portal, store the certificates in customer-specific Azure Key Vaults and, finally, update the migration tooling to use certificate-based authentication for the PowerShell connections that execute migrations.

Where do I get my certificate?

The certificate is generated by FastTrack’s Migration Hub. The customer can download it from their project card for Exchange/Gmail migrations; it is part of the script download package, and the script does all of the work to configure certificate authentication for the customer’s migration.

What is the benefit of the Certificate Authentication?

Using the certificate, the FastTrack-provided script uses the Active Directory Authentication Library (ADAL) to fetch an app-only token from the Application ID, the Tenant ID (organization) and the certificate thumbprint; the certificate’s private key signs the client assertion, so no password is sent. The service principal provisioned in Azure AD for the application has a directory role assigned to it, and that role is returned as a claim in the access token. Exchange Online configures the session’s Role Based Access Control (RBAC) from the directory-role information in the token, so the migration runs under a non-interactive identity that has no password to phish or to exempt from MFA.

Certificate generation and storage

The certificate is generated by FastTrack and stored within the customer-specific Azure Key Vault (AKV). FastTrack uses only the public key of the certificate to certificate-enable the service principal (SPN). The certificate’s private key is never exported or shared during the process and always stays within the Microsoft security boundary for that customer.

How is the certificate used within certificate authentication?

The certificate is used to ‘certificate enable’ the service principal (SPN) that functions as the customer's Cloud Migration Account: the public key is registered as a credential on the application, so a token request signed with the matching private key proves the caller’s identity. The FastTrack script grants the required permissions on the customer tenant to the service principal, requires the customer to grant admin consent to it, and validates that the configuration is correct for the migration.

Impact

  1. Another communication will be sent when the feature is Generally Available.
  2. The script provided by FastTrack will do all the work required to configure certificate authentication. The script will be downloadable via the customer's Project Card.
  3. O365 migration accounts will no longer be required.
  4. Certificates expire every 2 years. However, the customer may roll the certificate at any time by re-running the script provided by FastTrack.
  5. Once certificate authentication is configured, the Migration Engine will use certificate authentication as its only authentication mechanism. The Migration Engine will not revert to username/password authentication if certificate authentication fails; the batch will fail.
  6. Certificate authentication will be the default configuration for all mail migrations except IMAP. All customers must transition to certificate authentication (ECA) by April 30th, 2021. From May 1, 2021, customers must be using certificate authentication as their authentication method or their batches will fail.
  7. Events that were scheduled BEFORE certificate authentication is configured will continue to run without further manual intervention.
  8. Customer communications will be via the FastTrack Portal Notification Banner. The banner will let the customer know that the change is coming, starting on Feb 1st. Certificate authentication information and instructions will be posted in the Learning Center for Exchange and Gmail migrations.
  9. IMAP migrations using certificate authentication are TBD.
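As an added, illustrative example that is not the FastTrack script (FastTrack’s Migration Hub generates the real key pair and holds it in the customer’s Azure Key Vault, and the customer never handles the private key), the following PowerShell shows the steps the sections above describe, the way an administrator would perform them by hand with the AzureAD and ExchangeOnlineManagement modules: certificate-enable the service principal with the public key, assign the directory role that Exchange Online turns into RBAC, obtain admin consent, validate the app-only connection, and roll the certificate (item 4) without triggering the no-fallback failure in item 5. The tenant name, application name, function names and the local-store key generation are assumptions made for the example; the two GUIDs are the well-known IDs of the ‘Office 365 Exchange Online’ resource and its Exchange.ManageAsApp application permission.

```powershell
# Added example; NOT the FastTrack script. FastTrack's Migration Hub generates the
# real key pair and keeps it in the customer's Azure Key Vault. Here the key pair is
# generated in the local user store purely to show the steps. Names are placeholders.
# Requires the AzureAD and ExchangeOnlineManagement modules and a Global Administrator.

$tenant  = 'contoso.onmicrosoft.com'          # placeholder tenant (assumption)
$appName = 'Contoso-MailMigration-AppOnly'    # placeholder app name (assumption)

# Generate a certificate and register its PUBLIC half on the application.
# The private key is non-exportable, so only the X.509 blob ($cert.RawData) leaves the box.
function Add-MigrationAppCertificate {
    param([string]$AppObjectId, [string]$Subject)
    $cert = New-SelfSignedCertificate -Subject $Subject `
        -CertStoreLocation 'Cert:\CurrentUser\My' `
        -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
        -KeySpec Signature -KeyExportPolicy NonExportable `
        -NotAfter (Get-Date).AddYears(2)      # the two-year lifetime the page describes
    $cred = New-AzureADApplicationKeyCredential -ObjectId $AppObjectId `
        -Type AsymmetricX509Cert -Usage Verify `
        -Value ([Convert]::ToBase64String($cert.RawData)) `
        -StartDate $cert.NotBefore -EndDate $cert.NotAfter
    [pscustomobject]@{ Certificate = $cert; KeyId = $cred.KeyId }
}

# Prove a certificate works for app-only EXO PowerShell before anything relies on it.
# This is exactly what fails, with no password fallback, when the configuration is wrong.
function Test-MigrationAppAuth {
    param([string]$Thumbprint, [string]$AppId, [string]$Organization)
    try {
        Connect-ExchangeOnline -CertificateThumbprint $Thumbprint -AppId $AppId `
            -Organization $Organization -ShowBanner:$false -ErrorAction Stop
        $null = Get-MigrationBatch -ErrorAction Stop   # only works if the role reached RBAC
        return $true
    } catch { Write-Warning "App-only auth failed: $_"; return $false }
    finally { Disconnect-ExchangeOnline -Confirm:$false -ErrorAction SilentlyContinue }
}

Connect-AzureAD -TenantId $tenant

# --- Initial setup -----------------------------------------------------------
# App registration requesting the Exchange.ManageAsApp application permission on the
# 'Office 365 Exchange Online' resource (well-known resource app ID and permission ID).
$exo = New-Object Microsoft.Open.AzureAD.Model.RequiredResourceAccess
$exo.ResourceAppId  = '00000002-0000-0ff1-ce00-000000000000'
$exo.ResourceAccess = New-Object Microsoft.Open.AzureAD.Model.ResourceAccess `
    -ArgumentList 'dc50a0fb-09a3-484d-be87-e023b12c6440', 'Role'
$app = New-AzureADApplication -DisplayName $appName -RequiredResourceAccess $exo
$sp  = New-AzureADServicePrincipal -AppId $app.AppId

# Directory role: Exchange Online builds the session's RBAC from the role claim in the token.
$role = Get-AzureADDirectoryRole | Where-Object DisplayName -eq 'Exchange Administrator'
if (-not $role) {   # role objects exist only after first activation from the template
    $tmpl = Get-AzureADDirectoryRoleTemplate | Where-Object DisplayName -eq 'Exchange Administrator'
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $tmpl.ObjectId
}
Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId

$first = Add-MigrationAppCertificate -AppObjectId $app.ObjectId -Subject "CN=$appName"

# Admin consent is a browser step performed by a tenant admin; the app is unusable until then.
Write-Host "Grant admin consent: https://login.microsoftonline.com/$tenant/adminconsent?client_id=$($app.AppId)"
Read-Host 'Press Enter after consent has been granted'
if (-not (Test-MigrationAppAuth $first.Certificate.Thumbprint $app.AppId $tenant)) { throw 'Setup failed' }

# --- Rolling the certificate (any time, and before the two-year expiry) -------
Get-AzureADApplicationKeyCredential -ObjectId $app.ObjectId |
    Select-Object KeyId, EndDate, @{n='DaysLeft'; e={ [int]($_.EndDate - (Get-Date)).TotalDays }}

# Add the replacement first, verify it, and only then remove the others. Removing the
# old credential before the new one is proven would fail every scheduled batch.
$next = Add-MigrationAppCertificate -AppObjectId $app.ObjectId -Subject "CN=$appName"
if (Test-MigrationAppAuth $next.Certificate.Thumbprint $app.AppId $tenant) {
    Get-AzureADApplicationKeyCredential -ObjectId $app.ObjectId |
        Where-Object KeyId -ne $next.KeyId |
        ForEach-Object { Remove-AzureADApplicationKeyCredential -ObjectId $app.ObjectId -KeyId $_.KeyId }
} else { throw 'New certificate does not authenticate; old credential left in place' }
```

Newly added key credentials and role assignments can take a few minutes to replicate, so a failed Test-MigrationAppAuth immediately after setup is worth retrying before treating it as a misconfiguration. The test deliberately runs Get-MigrationBatch rather than stopping at a successful connection: it confirms not just that a token was issued for the certificate, but that the directory role reached the Exchange Online session as RBAC, which is the part that breaks batches when the role assignment is missing.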

Action Required

  • Please inform your customer of the pending change.
  • Assist with configuration of certificate authentication if required.